Bulwark Webmail Password Exposure Vulnerability in Auth Session API Endpoint

Vulnerability

A vulnerability in Bulwark Webmail, prior to version 1.4.10, allowed the GET /api/auth/session endpoint to return the user's plaintext password in its JSON response. This exposed credentials wherever that response was recorded: browser logs, local caches, and network proxies. The issue has been patched in version 1.4.10: the endpoint now returns only the server URL and username, and session credentials have been moved to a new PUT handler that is protected against cross-origin and unauthorized CLI access.
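The following is an added illustration, not Bulwark Webmail's own code: a session-info handler written the vulnerable way (serializing the whole server-side session record) beside the fixed way (an explicit allow-list of fields), plus the kind of origin and CLI gate the advisory says the new PUT handler uses. Handler names, the session object shape, the header names and the trusted origin are assumptions made for the example.

```javascript
// Added example, not Bulwark Webmail's code. Handler names, session shape,
// header names and TRUSTED_ORIGIN are assumptions for illustration.

// Constructed sample session record, as a webmail backend might hold it server-side.
function makeSession() {
  return {
    serverUrl: "https://mail.example.test",
    username: "alice",
    password: "constructed-sample-password", // constructed secret, never a real one
  };
}

// Vulnerable pattern: the whole session record is serialized into the GET body,
// so the password ends up in devtools logs, disk caches and proxy logs.
function vulnerableGetSession(session) {
  return { status: 200, body: JSON.stringify(session) };
}

// Fixed pattern: copy only an explicit allow-list of fields into the response.
// Fields added to the session record later are not exposed by accident.
function safeGetSession(session) {
  const { serverUrl, username } = session;
  return { status: 200, body: JSON.stringify({ serverUrl, username }) };
}

// Assumed origin of the webmail front end (example value).
const TRUSTED_ORIGIN = "https://mail.example.test";

// Credential update moved to a PUT handler. Assumed gates: the Origin header must
// match the front end (rejects cross-origin browser requests) and a custom header
// that only the front end's fetch/XHR code sets (a bare curl/CLI call is refused).
// Header names are assumed to be lower-cased, as Node's http module does.
function putCredentials(req, session) {
  if (req.method !== "PUT") return { status: 405, body: "" };
  if (req.headers["origin"] !== TRUSTED_ORIGIN) return { status: 403, body: "" };
  if (req.headers["x-requested-with"] !== "XMLHttpRequest") return { status: 403, body: "" };
  let parsed;
  try {
    parsed = JSON.parse(req.body);
  } catch (e) {
    return { status: 400, body: "" };
  }
  if (typeof parsed.password !== "string" || parsed.password.length === 0) {
    return { status: 400, body: "" };
  }
  session.password = parsed.password;
  // 204: acknowledge without echoing the credential back in the response.
  return { status: 204, body: "" };
}

// Regression check a test suite can run against any session handler: does the
// response body contain the secret the server holds for this session?
function leaksPassword(handler, session) {
  return handler(session).body.includes(session.password);
}

// Stand-alone demonstration of both handlers and the PUT gate.
function demo() {
  const session = makeSession();
  const body = JSON.stringify({ password: "new-constructed-secret" });
  return {
    vulnerableLeaks: leaksPassword(vulnerableGetSession, session),
    safeLeaks: leaksPassword(safeGetSession, session),
    crossOriginPut: putCredentials(
      { method: "PUT", headers: { origin: "https://evil.example", "x-requested-with": "XMLHttpRequest" }, body },
      session).status,
    cliPut: putCredentials(
      { method: "PUT", headers: { origin: TRUSTED_ORIGIN }, body }, session).status,
    goodPut: putCredentials(
      { method: "PUT", headers: { origin: TRUSTED_ORIGIN, "x-requested-with": "XMLHttpRequest" }, body },
      session).status,
  };
}

if (typeof require !== "undefined" && require.main === module) console.log(demo());
```

The allow-list in `safeGetSession` is the important part of the fix: a deny-list (`delete copy.password`) silently starts leaking again the moment another sensitive field (a token, an IMAP app password) is added to the session record, while an allow-list fails closed. The `leaksPassword` check is the kind of regression test worth keeping in a suite after a fix like this, so the endpoint cannot quietly regress.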

Impact

This vulnerability allowed for unauthorized exposure of user passwords, which could be intercepted by browser logs, local caches, or network proxies.

Remediation

Upgrade to Bulwark Webmail version 1.4.10 or later to address this vulnerability.

Added: Apr 2, 2026, 9:24 PM
Updated: Apr 2, 2026, 9:24 PM

Vulnerability Rating

Custom Algorithm (score per category)

  spread          0.0
  impact          2.5
  exploitability  4.7
  remediation     0.0
  relevance       5.1
  threat          0.0
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.